Encryption is Very, Very Hard to Crack

By Luther Martin — September 3, 2015

The recent Retail Information System report titled, “Security First Strategies”, has some interesting information about how well businesses are prepared for data breaches. One of the more surprising bits of information in this report, to me, was the answer to this question:

How effective do you think point-to-point encryption and tokenization will be in guaranteeing security of sensitive payment and customer information?

A full 38.2% of people who answered this question picked “Effective tool but hackers will crack it.”

That’s surprising.

And it’s not surprising.

It all depends on what the respondents mean by “crack it.”

Usually this means to defeat the security provided by a cryptographic algorithm by recovering a key through some sort of clever cryptanalytic attack. If that is how people interpreted “crack it,” that is surprising. Encryption is very, very hard to crack.

At the recent “The Impending End of RSA” workshop that DARPA sponsored, Dan Bernstein gave an interesting talk in which he summarized how hard it is to crack commonly used keys in terms of how much energy is needed to power the cracking calculation.

For a key that provides 80 bits of security (like a 1,024-bit RSA key), Dan estimated that one can build a computer that will crack a key in about one year, but powering that computer will take almost exactly the entire output of a power plant for that year. That is almost believable, and it is just plausible enough to be the basis for the plot of an espionage novel.

But when anyone moves to 112 bits of security (like a 2,048-bit RSA key), Dan estimated that hackers can still crack a key in about a year, but doing it will take just about the amount of energy that the Earth receives from the sun for that year. Scale this to the amount of energy needed to crack a 128-bit AES key, and we find that the amount of energy needed is roughly the same amount the Earth receives from the sun in over 65,000 years.

That is not even close to being believable, and is the sort of thing that can be taken from the plot of an espionage novel to the plot of a science-fiction novel. During his talk, Dan even joked that a better name for the workshop might have been “The Impending End of RSA 1,024,” because the 112 bits of security that RSA 2,048 provides is so strong that it requires some very aggressive assumptions about technology and the advance of cryptanalysis to even bring it into the realm of a suitable plot for an espionage novel.

Movie Magic

But perceptions are not always aligned with reality. Part of this is probably due to the marketing efforts of security vendors, while another part is probably due to the inaccurate portrayal of some security technologies by TV shows and movies. You might remember this exchange from the movie, The Adventures of Buckaroo Banzai Across the 8th Dimension:

(RAWHIDE and BILLY TRAVERS are trying to access information on Yoyodyne’s network, but are being thwarted by encryption.)

Cracking encryption is absolutely never as easy as typing “G-cipher,” however, because it is portrayed that way in movies, many people (maybe about 38.2% of them) end up believing that it actually is that easy to crack.

That really is not a reflection on the people who end up with that misunderstanding. Encryption is hard and requires lots of arcane math to really understand how it works and why it is secure. Unless someone is a specialist in that particular area, it probably is not worth the significant time and effort needed to understand material that difficult. After all, as Calvin Coolidge said, “The business of America is business.” It is not payment processing. And it is definitely not encryption.

So it is perfectly reasonable to expect people to not really understand encryption and the protection that it provides. But because it is so much easier to get inaccurate information from how encryption is portrayed in movies, it should not be too surprising that so many people do not have an accurate understanding of how good the protection provided by encryption really is. Encryption is not the sort of thing that anyone can bypass by typing a few characters on a keyboard. It is the sort of thing that takes implausible amounts of resources to actually carry out. And it is definitely not the sort of thing that hackers are going to crack any time soon.

Learn more about our data encryption technology for email, files, documents and databases.